Software Release - fwknop-0.9.8

Added the ability to ignore old SPA packets through use of the
client-side time stamp. This means that an attacker cannot intercept an
SPA packet, prevent it from being forwarded to its intended destination,
and then put the packet on the wire at some time outside of the allowed
time window. There are two new configuration options in fwknop.conf,
"ENABLE_SPA_PACKET_AGING" and "MAX_SPA_PACKET_AGE", that control the
length of the acceptable time window (2 minutes by default). This
requires some level of synchronization between the fwknop client and the
fwknopd server, but this is not onerous through the use of NTP. This
feature is enabled by default, and the idea for it was contributed by
Sebastien J.

Completely re-worked IPTables::ChainMgr to support the return of
iptables error messages that are collected via stderr. This is critical
to fixing any bugs where fwknopd could die as a result of a poorly
crafted iptables command but no information would be returned to the
user.

Added the ability to specify the position for both the jump rule into
the fwknopd chains as well as the position for new rules within the
fwknopd chains via the -I argument to iptables. This fixes a bug where
the user was given the impression that the IPTABLES_AUTO_RULENUM would
accomplish this (IPTABLES_AUTO_RULENUM has been removed).

Updated fwknopd to require a payload length of less than 1500 bytes
before attempting to decrypt. Also, GnuPG decrypts are not attempted
unless the encrypted payload is at least 400 bytes long (this is
conservative since even encrypting a single byte with a 1024-bit key
will result in about 340 bytes of encrypted data).
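
As an added illustration (not fwknop source code), the Python sketch below
models the two server-side gates described in these notes: the payload length
checks made before decryption and the client time stamp check controlled by
ENABLE_SPA_PACKET_AGING and MAX_SPA_PACKET_AGE. The function names, the packet
dictionaries and the inclusive, two-sided age comparison are assumptions, and
the sample packets are constructed.

```python
# Added illustration; not fwknop code. All names below are hypothetical.
MAX_PAYLOAD_LEN = 1500      # payload must be shorter than this to be decrypted
MIN_GPG_PAYLOAD_LEN = 400   # GnuPG decryption is skipped below this size


def length_gate(payload_len):
    """Return (try_decrypt, try_gpg) using the payload length alone."""
    try_decrypt = payload_len < MAX_PAYLOAD_LEN
    return try_decrypt, try_decrypt and payload_len >= MIN_GPG_PAYLOAD_LEN


def age_gate(client_ts, arrival_ts, enable_aging=True, max_age=120):
    """Compare the client time stamp with the server clock at arrival.

    Assumption: the window is two-sided and inclusive, so a time stamp more
    than max_age seconds in the past or in the future is rejected.
    """
    if not enable_aging:
        return True
    return abs(arrival_ts - client_ts) <= max_age


def verdict(pkt, enable_aging=True, max_age=120):
    """Classify one packet; decryption itself is outside this sketch."""
    try_decrypt, _ = length_gate(pkt["len"])
    if not try_decrypt:
        return "drop: length"
    # The client time stamp is only readable after a successful decrypt.
    if not age_gate(pkt["client_ts"], pkt["arrival"], enable_aging, max_age):
        return "drop: stale timestamp"
    return "accept"


T0 = 1_200_000_000  # constructed epoch value for the samples
SAMPLES = {
    # normal delivery, two seconds in flight
    "fresh": {"len": 180, "client_ts": T0, "arrival": T0 + 2},
    # intercepted, withheld, then put on the wire 15 minutes later
    "held_and_released": {"len": 180, "client_ts": T0, "arrival": T0 + 900},
    # legitimate client whose clock runs five minutes slow (no NTP)
    "client_clock_slow": {"len": 180, "client_ts": T0 - 300, "arrival": T0},
    # payload at the size limit is never handed to a decrypt routine
    "oversized": {"len": 1500, "client_ts": T0, "arrival": T0},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} {verdict(pkt)}")
```

The third sample shows why the notes call for NTP: an unsynchronized but
legitimate client is rejected exactly like a delayed packet.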

Added the --gpg-default-key option to have fwknop use the default GnuPG
key that is defined in the ~/.gnupg/options file.